Events and Information

Writing Malicious Code 101: Infinite Loops

How to knock over an ExtraHop with poorly written triggers.

I'm taking a quick hiatus from our Trigger Optimization 101 series to discuss how not to write triggers. I had the good fortune, recently, of crushing an ExtraHop appliance through a subtle mistake in some trigger code. Take a quick peek at the incoming data breakdown.

If I'm doing my math right, 170Mb/s is less than the advertised 20Gb/s. How did I achieve such poor performance?

Regular Expression + Infinite Loops => Profit

TL;DR: "Do not place the regular expression literal (or RegExp constructor) within the while condition or it will create an infinite loop if there is a match due to the lastIndex property being reset upon each iteration"
--RegExp.prototype.exec()

Both exec (called on the regex) and match (called on the string) let us use a regular expression to pull fields out of a string with capture groups. However, with exec, we can loop to extract multiple matches. Take the following string:

username:kenp username:dillonf

I want to pull out the usernames, so I'll use /username:(\w+)/g for my regex. Breaking it down: username: matches that literal prefix, (\w+) is a capture group that grabs one or more word characters (the username itself), and the trailing g flag makes the regex global, which is what lets repeated exec calls advance through the string instead of always returning the first match.

Comparing the two methods on that string, both return an array, but not the same thing. exec returned the first match, "username:kenp", together with its capture group "kenp", and stopped there; a single call never reaches "dillonf". match, because of the g flag, returned both full matches ("username:kenp" and "username:dillonf") but discarded the capture groups, so it didn't extract the usernames themselves.
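To make the difference concrete, here is an added example (not code from the original post) that runs a single exec call and a global match over the post's sample string, then goes one step beyond the post with matchAll, which returns every match with its groups. The sample input is constructed from the post; the function names are this example's own.

```javascript
// Added example (not code from the original post). SAMPLE_INPUT is the post's
// constructed sample string; the function names are this example's own.
const SAMPLE_INPUT = "username:kenp username:dillonf";

// exec() on a global regex returns only the first match per call, but that
// match carries its capture groups, and the regex's lastIndex moves past it.
function firstExec(input) {
  const re = /username:(\w+)/g;
  const m = re.exec(input);
  if (m === null) return null;
  return { full: m[0], user: m[1], lastIndex: re.lastIndex };
}

// match() with a global regex returns every full match but drops the capture
// groups, so the usernames themselves are not isolated.
function allMatch(input) {
  return input.match(/username:(\w+)/g) || [];
}

// Generalization beyond the post: matchAll() (ES2020) yields every match
// together with its groups, with no hand-written exec() loop at all.
function allUsersViaMatchAll(input) {
  return Array.from(input.matchAll(/username:(\w+)/g), (m) => m[1]);
}

console.log(firstExec(SAMPLE_INPUT));           // { full: 'username:kenp', user: 'kenp', lastIndex: 13 }
console.log(allMatch(SAMPLE_INPUT));            // [ 'username:kenp', 'username:dillonf' ]
console.log(allUsersViaMatchAll(SAMPLE_INPUT)); // [ 'kenp', 'dillonf' ]
```

Note the lastIndex of 13 after the first exec: that is the state a second exec call on the same RegExp object would resume from, and it is exactly what gets thrown away when a fresh regex is built on every iteration.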

To work around these limitations, exec can be called repeatedly in a loop: with the g flag set, each call resumes from the regex's lastIndex, finds the next match, and still returns its capture groups. When the string is exhausted and there are no more matches, exec returns null (and resets lastIndex to 0). With this information, I naively put together code like the below:

When we create a new regex for each iteration of the loop, we lose the lastIndex of the previous match: every RegExp object starts with lastIndex 0, so each fresh literal searches from the beginning of the string, matches "kenp" again, and never returns null. That is the infinite loop, and inside a trigger it runs for every event that fires it, which is how one bad loop starves the whole appliance. The same symptom appears with a single regex that lacks the g flag, since without g (or y) exec ignores lastIndex and always returns the first match. The fix is easy enough: scope the regex outside of the loop, and make sure it carries the g flag:
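Here is an added example (not the original trigger code) that covers both the naive loop described above and its fix: the infinite-loop shape, capped with an iteration limit so it actually returns; the same hang caused by a missing g flag; the corrected loop with the regex scoped outside; and a defensive variant suited to trigger code. The sample input is constructed from the post; the function names and the maxIter parameter are this example's own.

```javascript
// Added example (not the original trigger code). SAMPLE_INPUT is the post's
// constructed sample string; function names and maxIter are this example's own.
const SAMPLE_INPUT = "username:kenp username:dillonf";

// Naive loop: the regex literal is evaluated again on every iteration, so each
// exec() runs on a brand-new RegExp whose lastIndex is 0. It finds "kenp" every
// time and never returns null. maxIter exists only so this demo can return;
// the real trigger had no such bound.
function extractNaive(input, maxIter = 10) {
  const users = [];
  let match;
  let iterations = 0;
  while ((match = /username:(\w+)/g.exec(input)) !== null) {
    users.push(match[1]);
    if (++iterations >= maxIter) return { users, hung: true };
  }
  return { users, hung: false };
}

// Same symptom from a different mistake: one RegExp object, but no g flag, so
// exec() never advances lastIndex and always returns the first match.
function extractNoGlobalFlag(input, maxIter = 10) {
  const re = /username:(\w+)/;
  const users = [];
  let match;
  let iterations = 0;
  while ((match = re.exec(input)) !== null) {
    users.push(match[1]);
    if (++iterations >= maxIter) return { users, hung: true };
  }
  return { users, hung: false };
}

// Fixed loop: a single global RegExp scoped outside the loop keeps its
// lastIndex between calls, so exec() walks through the string and returns
// null once it is exhausted.
function extractFixed(input) {
  const re = /username:(\w+)/g;
  const users = [];
  let match;
  while ((match = re.exec(input)) !== null) {
    users.push(match[1]);
  }
  return users;
}

// Defensive variant for trigger code: refuse a regex without g, reset
// lastIndex in case the RegExp object is reused, step past zero-length
// matches (which also stall exec), and put a hard bound on iterations so a
// bad pattern throws instead of pinning the appliance.
function extractGuarded(input, re, maxIter = 1000) {
  if (!re.global) throw new Error("regex must use the g flag for an exec() loop");
  re.lastIndex = 0;
  const captures = [];
  let match;
  let iterations = 0;
  while ((match = re.exec(input)) !== null) {
    if (match[0].length === 0) re.lastIndex += 1; // avoid stalling on empty matches
    captures.push(match[1]);
    if (++iterations > maxIter) throw new Error("exec() loop exceeded " + maxIter + " iterations");
  }
  return captures;
}

console.log(extractNaive(SAMPLE_INPUT, 5));                    // { users: [ 'kenp', 'kenp', 'kenp', 'kenp', 'kenp' ], hung: true }
console.log(extractNoGlobalFlag(SAMPLE_INPUT, 3));             // { users: [ 'kenp', 'kenp', 'kenp' ], hung: true }
console.log(extractFixed(SAMPLE_INPUT));                       // [ 'kenp', 'dillonf' ]
console.log(extractGuarded(SAMPLE_INPUT, /username:(\w+)/g));  // [ 'kenp', 'dillonf' ]
```

The iteration cap in extractGuarded is the practitioner's safety net: on a capture appliance the cost of one runaway trigger is paid on every event it handles, so it is cheaper to throw on an absurd loop count than to trust every future regex edit to keep its g flag and never match the empty string.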